Cache Bug Detection

Concept

Cache bug detection is the process of exposing incorrect cache behavior in processor implementations. In the TestRIG RISC-V testing work, targeted randomized memory generators found cache-related bugs that had escaped static unit tests, including a Flute data-cache implementation mismatch and an overlapping-load/store counterexample reduced to three memory operations.

First seen 5/30/2026
Last seen 5/30/2026
Evidence 3 chunks
Wiki v1

WIKI

Overview

Cache bug detection focuses on finding incorrect behavior in a processor's cache subsystem, especially memory errors that are difficult to anticipate with static unit-test suites. In the TestRIG work on randomized RISC-V CPU testing, cache bugs are described as a class of memory mistakes that can be discovered efficiently with targeted generators, while remaining notoriously difficult to find using static unit tests. [C1]

TestRIG approach

RELATIONSHIPS

3 connections
QCVEngine ← evaluates 85% 2e
QCVEngine has been used to detect cache bugs in RISC-V implementations.
The paper demonstrates TestRIG's ability to detect cache bugs.
TestRIG ← evaluates 90% 2e
TestRIG is used to detect cache bugs in RISC-V implementations.

CITATIONS

8 sources
[1] Cache bugs are memory mistakes that TestRIG found efficiently with targeted generators, and they are hard to discover using static unit tests. (Source: Randomized Testing of RISC-V CPUs using Direct)
[2] The cache-bug generator constructed addresses within the TestRIG memory range and generated random loads and stores after the bug was not found by the unit-test suite. (Source: Randomized Testing of RISC-V CPUs using Direct)
[3] The Flute cache bug was discovered after 42 tests and 20 rounds of shrinking. (Source: Randomized Testing of RISC-V CPUs using Direct)
[4] Flute's data cache was implemented as direct-mapped and 4 KiB rather than the specified 2-way associative and 8 KiB cache, and a parameter experiment found that the 2-way cache could not boot the operating system. (Source: Randomized Testing of RISC-V CPUs using Direct)
[5] The reduced Flute counterexample had two loads with one store between them to overlapping addresses, was found less than 10 seconds into the run, and was fixed within an hour. (Source: Randomized Testing of RISC-V CPUs using Direct)
[6] The Flute cache bug escaped the development process and RISC-V unit-test suite and was difficult to debug from a full software trace, but was easy to resolve with a TestRIG counterexample. (Source: Randomized Testing of RISC-V CPUs using Direct)
[7] A TestRIG shrunken counterexample used an L1 cache miss counter assertion to observe a cache fill caused by forwarded capability data during a pipeline flush, which could lead to side-channel attacks. (Source: Randomized Testing of RISC-V CPUs using Direct)
[8] TestRIG supports counterexample-driven development, and QCVEngine is described as providing a tight cycle of reduced counterexamples in CHERI Ibex work. (Source: Randomized Testing of RISC-V CPUs using Direct)